March 2011 Report #51

In the economic world, the media uses the acronym “BRIC” (Brazil, Russia, India, and China) for the emerging market leaders. In this month’s State of Spam & Phishing report, we take a look at whether those countries are also emerging market leaders of spam. Has spam coming from that bloc of countries increased or decreased over the last year? Have any of the countries in the bloc gained or lost spam market share?

As forecast in last month’s report, average daily spam volume increased for the first time since August 2010. The average daily spam volume increased 8.7 percent in February month-over-month. Overall, spam made up 80.65 percent of all messages in February, compared with 79.55 percent in January.

Overall phishing increased by 38.56 percent this month. There was a significant increase in some sectors of phishing, mostly in automated toolkits and unique domains. Phishing websites created by automated toolkits increased by about 50.33 percent. Unique URLs increased by 33.73 percent, and phishing websites with IP domains (for example, domains like http://255.255.255.255) decreased by about 47.22 percent. Webhosting services comprised 13 percent of all phishing, an increase of 38.97 percent from the previous month. The number of non-English phishing sites saw a significant increase of 76.51 percent. Among non-English phishing sites, Portuguese, French, and Spanish were the most common in February.
The following trends are highlighted in the March 2011 report:

Examining “BRIC” for Spam
3D Secure Passwords for Recharging Mobile Airtime
Mass Phishing on Credit Card Services Brand Using Fake SSL
February 2011: Spam Subject Line Analysis

Dylan Morss, Executive Editor, Antispam Engineering
David Cowings, Executive Editor, Security Response
Eric Park, Editor, Antispam Engineering
Mathew Maniyara, Editor, Security Response
Sagar Desai, PR contact, [email protected]

Metrics Digest charts (not reproduced here): Global Spam Categories; Spam URL TLD Distribution; Average Spam Message Size; Spam Attack Vectors; Spam Regions of Origin; Geo-Location of Phishing Lures; Geo-Location of Phishing Hosts; Phishing Tactic Distribution; Phishing Target Sectors

Examining “BRIC” for Spam

We all know that the “BRIC” countries (Brazil, Russia, India, and China) are the leaders of the emerging market world. These countries have shown tremendous economic growth recently, and in turn have seen fast growth in broadband Internet. This growth in broadband use makes these countries vulnerable to botnets, networks of compromised computers. So we asked the question: where are they in terms of global spam output?

The chart of spam origin percentage by country highlights three major trends:

1. As a whole, BRIC’s spam market share declined over the last 15 months.
2. Brazil made the most nominal improvement.
3. Russia, on the other hand, gained spam market share.

Over the last 15 months, EMEA has ranked consistently as the top region in global spam output. While a number of countries in the EMEA region remained in the top ranking throughout the time period, one country stood out from the rest in gaining spam market share. The Netherlands, which sent only 2.3 percent of global spam in November 2009, saw its spam output increase to 5.3 percent in February 2011. The figure was actually higher in June 2010, coming in at 6.3 percent.
3D Secure Passwords for Recharging Mobile Airtime

Phishers are known for developing different strategies with the motive of duping users into believing that the phishing site is authentic and secure. Phishing sites are now seen asking for a 3D secure number. What is a 3D secure number? A 3D secure number is a password that is known only to the bank and the buyer. In other words, during an online transaction, the merchant in question does not know this number. This number is essentially an additional password given separately to card holders specifically for the safety of online transactions.

Many online transactions typically involve the use of credit/debit card numbers and the number on the back of the card. If anyone happens to see the card and copies or writes down the numbers found on it, the card holder would be at risk of having his or her money stolen in online transactions. The use of a 3D secure password prevents such a risk, as it is a number not present anywhere on the card. The fact that the card numbers are entered by the owner of the card helps in authenticating. A 3D secure number reduces the risk in a situation where the card numbers are copied by other people. However, if the 3D secure number itself is given away by the user to a phishing site, the user’s money would still be at risk. Phishers are well aware of this and so prompt users to enter their 3D secure number along with other card details on phishing sites.

Recently, one such example was observed where the phishing site prompted the user for credit card details and their 3D secure number for an online transaction. The bait was mobile phone airtime purchased online. The phishing site targeted customers in Turkey and the phishing pages were in Turkish. Also, the credit card details requested were for banks based in Turkey.
The required information was the mobile phone number, amount of mobile phone airtime to be recharged, name of the bank, card holder’s name, credit card number, expiration date, CVV, and 3D secure password. To increase the appeal, the phishing page offered customers of two particular banks gifts worth $10 for every $20 purchased. Upon entering the information, the user was redirected to a page on the phishing site that asked for more user information.

The information asked for on the second phishing page consisted of mother’s maiden name, card holder’s date of birth, customer or account number, and password. The phishing page claimed that upon clicking the button at the bottom of the page, a password would be sent as an SMS to the user’s mobile phone. The user was warned that if incomplete information was entered, the operation would be disapproved, leading to the failure of the transaction. Below this button was a message stating that 3D secure card purchases are safe for online transactions and that a high encryption system provides protection against unauthorized use. This statement was obviously displayed to gain the user’s confidence.

The third page of the phishing site asks for the password previously claimed to have been sent to the user by SMS. The phishing page also notifies the user that the SMS may take one to five minutes to arrive and requests that the page not be closed. Of course, this is just a ploy and the user wouldn’t receive a password. The phishing URL used IP domains (for example, domains like http://255.255.255.255). The phishing site was hosted on servers based in Orlando, USA.

Mass Phishing on Credit Card Services Brand Using Fake SSL

In February, Symantec observed a mass phishing attack on a popular credit card services brand. There were a large number of phishing URLs in the attack, all of which were secured using Secure Socket Layer (SSL).
So what makes this phishing attack stand out from the rest? Phishing websites that use SSL are uncommon and are typically seen in very small numbers. To create a phishing site that uses SSL, the phisher would either have to create a fake SSL certificate or attack a legitimate certificate to obtain encryption for the site. In both cases, Symantec has observed that phishing sites using SSL are less frequent. In this particular attack, there were over a hundred phishing URLs that used a fake SSL certificate. This was achieved by hosting the phishing site on a single IP address to which several domain names resolved. That is, although there were abundant URLs in the attack, they all resolved to a single IP address and contained the same webpage. The SSL certificate was an expired one, with an issue date in 2006 and an expiration date in 2007. The phisher’s primary motive behind creating an encrypted phishing site is to help the site appear authentic and to convince users that the site is safe.

The phishing site spoofed a credit card services brand, targeted customers in Switzerland, and its phishing pages were in French. End users were also asked to provide login credentials for a popular e-commerce brand. Hence, phishers attempted to harvest confidential information for two brands with the same phishing attack. The phishing site was hosted on servers based in the state of California, USA.

The phishing site asks for the confidential information in a two-step process. The first step is an identity verification of the user. Here, the user is asked to enter name, date of birth, address, email with password for the e-commerce brand, and mother’s maiden name. The second step asks for banking data including bank name, bank ID, name of card holder, card type, card number, personal code, card expiration date, and CVV number. Upon entering the requested information, the phishing site redirects to a blank webpage.
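As an added defender-side illustration (not part of the report), the following check flags the two properties that gave this attack away to anyone who looked: a certificate whose validity window had already passed, and a name that does not match the host actually visited. The certificate dict and the hostnames are constructed placeholders in the shape Python's ssl.getpeercert() returns; only the 2006/2007 dates come from the report.

```python
import ssl
import time

# Constructed peer-certificate dict in the shape ssl.SSLSocket.getpeercert()
# returns; the validity dates mirror the report's expired certificate
# (issued 2006, expired 2007). Hostnames are placeholders, not real sites.
EXPIRED_CERT = {
    "subject": ((("commonName", "secure.example-cards.test"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Mar 10 00:00:00 2006 GMT",
    "notAfter": "Mar 10 00:00:00 2007 GMT",
    "subjectAltName": (("DNS", "secure.example-cards.test"),),
}
# Evaluation time: mid-February 2011, the month the attack was observed.
REPORT_DATE = ssl.cert_time_to_seconds("Feb 15 00:00:00 2011 GMT")

def certificate_names(cert):
    """Every DNS name the certificate claims: SAN entries first, then the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names

def hostname_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.example.test."""
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1].lower() == pattern[2:].lower()
    return pattern.lower() == hostname.lower()

def certificate_findings(cert, hostname, now=None):
    """Reasons the certificate should not be trusted for hostname (empty if none)."""
    now = time.time() if now is None else now
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if not any(hostname_matches(p, hostname) for p in certificate_names(cert)):
        findings.append("hostname mismatch")
    return findings

if __name__ == "__main__":
    # Evaluated as of February 2011, the report's certificate is simply expired.
    print(certificate_findings(EXPIRED_CERT, "secure.example-cards.test", REPORT_DATE))
```

A browser performs the same two checks before showing a padlock, so an expired or mismatched certificate produces a warning rather than the reassurance the phisher was after.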
If users fell victim to the phishing site, phishers would have stolen their information for financial gain.

February 2011: Spam Subject Line Analysis

419 spam messages are usually smaller attacks, rather than millions of messages sent with the same subject line. This could explain why these attacks are not seen in the subject line analysis, despite the fact that the category saw a 5 percentage point increase month-over-month. Nevertheless, Symantec observed many 419 spam attacks which leveraged current events.

Checklist: Protecting your business, your employees and your customers

Do:

- Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. Deselect items you do not want to receive.
- Be selective about the Web sites where you register your email address.
- Avoid publishing your email address on the Internet. Consider alternate options – for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.
- Using directions provided by your mail administrators, report missed spam if you have an option to do so.
- Delete all spam.
- Avoid clicking on suspicious links in email or IM messages as these may be links to spoofed websites. We suggest typing web addresses directly into the browser rather than relying upon links within your messages.
- Always be sure that your operating system is up to date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection visit http://www.symantec.com.
- Consider a reputable antispam solution to handle filtering across your entire organization, such as the Symantec Brightmail messaging security family of solutions.
- Keep up to date on recent spam trends by visiting the Symantec State of Spam site.

Do Not:

- Open unknown email attachments. These attachments could infect your computer.
- Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
- Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).
- Buy products or services from spam messages.
- Open spam messages.
- Forward any virus warnings that you receive through email. These are often hoaxes.

* Spam data is based on messages passing through the Symantec Probe Network.
* Phishing data is aggregated from a combination of sources including strategic partners, customers and security solutions.